Scan and Installation

requirements

1
CSAT version 2.05 Scan and installation requirements
 Cyber Security Assessment Tool
Scan and installation requirements

Copyright notice
©2023 QS solutions B.V. and its subsequent entities. All rights are reserved.

The information contained in this e-mail or document is exclusively intended for the addressee[s]
and may contain personal or confidential information, subject to a professional privilege. Any use of
this information by others than the addressee[s] or by persons not entitled to access this
information is not permitted. If you are not the addressee or if you are not entitled to access this
information, you are obliged to refrain from disclosing, multiplying, distributing and/or providing this
information to third parties and you are requested to return this e-mail/document and destroy the
original.

Disclaimer
The use of this document is for informational purposes only and reflects the publisher’s opinion as
per date of publishing. Liability is limited to the publisher’s terms and conditions as depicted in the
underlaying master-agreement and/or purchase order.

2
CSAT version 2.05 Scan and installation requirements
1. CSAT general information
CSAT Installation and Data Storage
The Cyber Security Assessment Tool (CSAT) is installed in your IT infrastructure. CSAT collects data and
stores it on a machine within your infrastructure. The data is not shared with any third party, so only
those authorized by your organization can access it. There is no method for QS solutions or any third
party to access the data on the machine, other than parties provided with access by your organization.

To install CSAT, you can either use the pre-installed CSAT Azure Marketplace offering, or install CSAT
on a local machine. Use the flowchart below to decide which option works best for you.

You are going to

install CSAT

Do you have an
Yes
Azure Subscription?

No
Are you willing to
Is there a site to site
setup a (temporary)
No No VPN connection to
site to site VPN to
Azure?
azure?

Yes

Install CSAT on a Consider using the

local server Yes Azure Marketplace
CSAT offer

Indicated CSAT Server Database size

The collected data is stored in a PostgreSQL database. The default CSAT installation will
install PostgreSQL on the CSAT machine. PostgreSQL is an open source relational database, that will
be sufficient for the majority of the assessments. The following are examples of database sizes.
• When scanning 100 endpoints without a browser scan, the database size is usually around
200 MB.
• When the browser scan is enabled for 100 endpoints, the database size is usually around
450 MB.
CSAT version check
The CSAT server will regularly check if there is a new CSAT version available. The URL used by CSAT
to check for a new version is https://getlatestversion.azurewebsites.net/.

NIST CPE and CVE check

To analyze threats related to the running and installed applications on your scanned endpoints, CSAT
relies on the NIST Common Platform Enumeration (CPE) Dictionary and the NIST Common
Vulnerabilities and Exposures (CVE) data Feed. CSAT uses the following URL for this function:
https://vulnerability.cybersecurityassessmenttool.com.

3
CSAT version 2.05 Scan and installation requirements
2. CSAT Server Requirements
CSAT installations only work on clean operating system installations. This means the operating
system is a default Windows installation, using Microsoft installation media, and is not joined to a
domain. Existing components or hardening may interfere with the CSAT components.

If you want to apply hardening, and Active Directory Domain Policies to your operating system, you
should do this after installing CSAT. Installing CSAT on a system that's not a clean installation could
fail and possibly make the device unstable or unusable for its purpose.

The following Operating Systems are supported to install CSAT server:

- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows 11 Professional or Enterprise, build 21H2 or newer
- Windows 10 Professional or Enterprise, build 22H2 or newer

When you install the CSAT server software, it will also install PostgreSQL and Microsoft .NET Core on
your device. To install CSAT, you must have (local) administrator privileges on the device.

During the installation, the CSAT server needs to connect to

"https://download.microsoft.com/download/" and
"https://go.microsoft.com/fwlink/?LinkID=2099383" to download .NET framework, if necessary.

The minimal requirements for the CSAT server are:

Windows updates Up to date with the latest Windows updates
CPU cores Four CPU cores
CPU speed 1.4 GHz (2.0 GHz recommended)
Memory 8 GB
Hard disk At least 60 GB of free space (SSD recommended)
.NET Framework Version 4.8 or higher

Should you choose to use an Azure Virtual Machine, we recommend using the Azure template
D4s_v5 or one with better specifications. CSAT is also listed in the Azure Marketplace.

For the best CSAT experience, we recommend using CSAT with either Edge or Chrome on the CSAT
server.

4
CSAT version 2.05 Scan and installation requirements
3. Scan requirements
List of required credentials to setup the scans
This is the list of required credentials for setting up the scans. Credentials are to be provided in the
CSAT user interface.

• Active Directory
o Domain user (single forest scan)
o Domain Administrator (multi forest scan)
• Google Workspace
o Google Workspace administrator account
• Microsoft Cloud
o Account with Global Administrator permissions
• Amazon Web Services (AWS)
o Account with AdministratorAccess role
• SharePoint On Premises
o An account with Site Collection Administrator permissions
• Endpoints
o Windows: Local administrator or Domain administrator permissions
o Linux (SSH): SUDO permissions
• GitHub
o User with permissions to add a GitHub app to the organization

Active Directory
CSAT uses LDAP or LDAPS (over SSL) to collect data from Active Directory (AD) by executing LDAP(S)
queries to an AD domain controller. To make sure the AD scan works, make sure that the LDAP(S)
ports and the 'active directory local security authority ports' are allowed. You can find these ports on
this page: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-
overview-and-network-port-requirements#active-directory-local-security-authority.

You can start an AD scan of a single domain with a normal user account. To scan a forest, you need
an account with domain administrator permissions.

If you enable the 'LAPS GPO scan' option in the AD scan, a dissolvable agent is used to collect the
GPO information. After the dissolvable agent finishes scanning and uploading the data to the CSAT
server, the downloaded files and directories are automatically removed from the endpoint. This
means no CSAT related footprint is left behind, following the principle known as "dissolvable agent"
or "agentless."

Google Workspace
CSAT uses Google API to scan the Google Workspace environment. To use this feature, you need to
create a Google Developer application during the scan setup. To scan, CSAT needs to access
"https://www.googleapis.com" and all its subpages. If your security policies restrict access to certain
URLs, make sure to allow these for the CSAT server.

The CSAT scan does not work when there is a proxy server or SSL inspection in place. The CSAT
server traffic needs to be exempted from the proxy/SSL inspection. When using a proxy, ensure that
throttling is configured to not cut off the connection. Some scans may take a couple of days to
complete depending on the size of the environment.

5
CSAT version 2.05 Scan and installation requirements
Microsoft Cloud
CSAT uses the Microsoft Graph API to scan Microsoft Cloud services. To do this, an Azure Active
Directory application needs to be created on the Azure tenant to be scanned. This app must be
approved by a Global Administrator and will be created during the scan setup.

During a Microsoft Cloud scan, the CSAT server needs to be able to access various Microsoft services.
You can find a list of these services at https://docs.microsoft.com/en-us/microsoft-
365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide. The CSAT server also needs to
access https://csatreleases.blob.core.windows.net/public/ and
https://csatrelease.blob.core.windows.net/release/ to create the Azure Active Directory application.

The CSAT scan does not work when there is a proxy server or SSL inspection in place. The CSAT
server traffic needs to be exempted from the proxy/SSL inspection. When using a proxy, ensure that
throttling is configured to not cut off the connection. Some scans may take a couple of days to
complete depending on the size of the environment.

To create the Azure AD application in the correct tenant, use a "Member" type account to log in to
the "AzureAppCreator" tool from CSAT. If you use a "Guest" type account, the application won't be
created on the correct tenant.

Amazon Web Services (AWS)

To scan Amazon Web Services (AWS), CSAT uses the AWS API to gather information through REST
calls. For the best results, it's suggested to create a temporary scan account in the AWS environment
that is to be scanned. An AWS Administrator with the 'AdministratorAccess' role should create this
account. The account will be created during the setup of the scans.

SharePoint On-Premises
CSAT uses two methods to collect data from SharePoint On-Premises. The first method collects data
using the SharePoint API service, which has some requirements:

- Your SharePoint edition must be 2016 or newer, and either Standard or Enterprise edition.
- The ports 80 and 443 must be allowed between the CSAT server and SharePoint server(s).
- The Search service application must be enabled.
- You need a SharePoint administrator account with the role of "Site Collection Administrator"
for all the site collections you want to scan. This account must run under the Search service
application.

The second method collects data with a dissolvable agent called "SPcsat_dwnldr.exe" and
"SPcsat.exe". This agent works the same as the endpoint scan dissolvable agent.

Endpoint Scan
Windows endpoints
To scan Windows endpoints, you can use one of the following methods:

1. Scan Scope Method: This method is suitable for Windows Domain joined endpoints or
endpoints that can directly connect to the CSAT server.
2. Cloud Scan Script Method: This method is used for Windows endpoints that cannot directly
connect to the CSAT server.
3. Run Once Script Method: This method provides a manual scan option.

6
CSAT version 2.05 Scan and installation requirements
Dissolvable agent
All scan methods utilize csat.exe to collect data from the endpoint. Once the scanning process is
complete and the data is uploaded to the CSAT server, the downloaded files and directories are
automatically removed from the endpoint. This approach is called a "dissolvable agent" or
"agentless," ensuring that no CSAT-related traces are left on the endpoints.

1. Scan scope method

CSAT utilizes three different techniques to send the dissolvable agent to the endpoints.

• The first technique is Remote Scheduled tasks. A scheduled task is created on the endpoint
that will download the agent file from the CSAT server and start the agent.
• The second technique is the WMI with SMB support. The agent will be sent over SMB to the
endpoint. The sent agent will be started through WMI.
• The last technique is via WMI only. The agent will be sent as an encoded file over WMI and
decoded. A command will be sent over WMI to start the agent.

The above techniques will be tried sequentially. If one technique does not provide the appropriate
response, CSAT will try the next technique. Because certain techniques require certain features or
firewall rules to be enabled.

When a technique is used that involves WMI, it is important to ensure that the WMI services are
properly configured on the endpoint to collect comprehensive information. Issues like corrupted
WMI repositories or incorrect client network setup can result in limited data collection.

2. Cloud scan script method

This method utilizes PowerShell scripts to deploy the dissolvable agent to endpoints. It is particularly
useful when employees are working remotely or when endpoints are managed through Azure AD
and Microsoft Intune.

Prerequisites for using the cloud scan script method are as follows:

• An active Azure Subscription is required.

• Microsoft Intune or another MDM solution capable of deploying PowerShell scripts to
Windows endpoints is necessary. The provided scripts are specifically designed and tested
for Microsoft Intune.
• Windows endpoints must be actively running and managed by Microsoft Intune or another
MDM solution.
• The CSAT server requires .NET Framework 4.7.2 or a higher version.

3. Scan once script method

The scan once script method involves using a script to establish a connection with the CSAT server
through port 8080. It retrieves the CSAT dissolvable agent, executes it, and sends the collected data
back to the CSAT server via port 8080. The endpoints where the script is executed must be capable
of connecting to the CSAT server through port 8080.

Network traffic and CPU usage

The dissolvable agent sent to endpoints is small, less than 5 MB in size. It is not sent to all endpoints
simultaneously but is based on the number of CPUs in the CSAT server. Let's look at the following
examples to understand the distribution:

• If the CSAT server has four CPUs, the dissolvable agent will be sent to two endpoints at a
time.

7
CSAT version 2.05 Scan and installation requirements
 • If the CSAT server has five CPUs, the dissolvable agent will be sent to four endpoints
simultaneously.
• If the CSAT server has more than five CPUs, the number of simultaneous dissolvable agents
sent is the total number of CPUs minus two. For instance, if the CSAT server has fifteen
CPUs, the dissolvable agent will be sent to thirteen endpoints at the same time.

During the endpoint scanning process, CPU usage ranges from 1 to 5 percent, and memory usage is
between 40 and 70 MB. Once the data is collected, it is compressed into a zip file and sent back to
the CSAT server. Typically, the size of the zip file is around 100 KB. Since not all endpoints are
scanned concurrently, the data sent over the network from the scanned endpoints to the CSAT
server usually peaks at around 100 MB.

Linux endpoints
To gather information from Linux endpoints, the scanning process is done through SSH. You can scan
a Linux endpoint by enabling SSH on it. Here are some key points to consider:

• Ensure that the configured SSH port is open both from and to the endpoint(s) and the CSAT
server. The default TCP port for SSH is 22, but using a custom configured SSH port is also
supported.
• Make sure that the account used for scanning has SUDO permissions. This ensures the
necessary privileges are granted to collect the required information.

Indicated Endpoint scan running time

The chart below shows the agent's running time and the size of the resulting zip file based on the
selected scan options.

Client type Scan level Browser scan Average scan time Zip file size
Windows Client OS 5 Off 2 min 0,2 MB
Windows Client OS 5 On 2 min 02 sec 1,2 MB
Windows Client OS 9 Off 2 min 0,4 MB
Windows Client OS 9 On 2 min 30 sec 1,5 MB
Windows Server OS 5 Off 1 min 10 sec 0,1 MB
Windows Server OS 9 Off 1 min 15 sec 0,2 MB

Endpoint scan requirements

For endpoints to be successfully scanned by CSAT, they need to meet the following requirements:

• .NET Framework: Ensure that the endpoints have at least version 3.5 or higher of the .NET
Framework installed.
• Network configuration: If you have internal firewalls, VPN, IPS, IDS, or network ACL solutions
in place, make sure they allow traffic from the CSAT server to the targeted endpoints. Ensure
that there are no blocking rules that would hinder communication.
• Anti-virus/Anti-malware Software: Check that the anti-virus/anti-malware software permits
the execution of CSAT.exe in the C:\windows\temp folder.
• Windows Endpoints: To scan Windows endpoints, use a local administrator or domain
administrator account. We recommend creating a temporary CSAT scanning account, which
can be removed or inactivated after the scan is completed.
• Linux Endpoints: For scanning Linux endpoints, ensure that the specified account in the CSAT
scan scope is a member of the sudo group. This is necessary as certain commands require
sudo permissions.

8
CSAT version 2.05 Scan and installation requirements
To enable scanning by the CSAT server, inbound firewall rules must be enabled for the active firewall
profile on the endpoints. Windows Firewall includes predefined rules that need to be enabled for
the active firewall profile. The required ports are listed in the next section.

GitHub
To collect information from GitHub Advanced Security, the CSAT server must have access to the
GitHub repository and organization URLs. CSAT will use a GitHub app to scan. Hence, the account
being used should have the permission to create this GitHub app.

Email DNS
During the Email DNS scan, the CSAT server collects information about DNS Sec, SPF, DKIM, and
DMARC from external DNS records. For DNS Sec information, the CSAT server needs to access
mxtoolbox.com and its subpages. The default IP addresses used to collect SPF, DKIM, and DMARC
records are 1.1.1.1 and 8.8.8.8. This information is gathered using the UDP protocol.

SNMP
You can collect information from devices that have the SNMP v1, SNMP v2, and SNMP v3 services
enabled. To scan SNMP devices successfully, ensure that the SNMP UDP port 161 is open for
communication between the SNMP devices and the CSAT server.

Antivirus software exclusion

If certain antivirus software products block the execution of the dissolvable agent, used for the
endpoint scan and Active Directory LAPS scan, you may need to create temporary exclusions in your
antivirus solution. Consult your antivirus documentation for instructions on adding these exclusions
in the management portal.

For the three endpoint scan methods explained earlier, the following antivirus exclusions should be
applied:

Scan scope method:

• C:\Windows\System32\cmd.exe (Used by the WMI only technique)

• C:\Windows\System32\certutil.exe (used by the WMI only technique)
• C:\Windows\Temp\csat\csat.exe
• C:\Windows\Temp\csat\csat_dwnldr.exe

Cloud scan script method and Scan once script method:

• C:\Windows\Temp\csat\csat.exe

9
CSAT version 2.05 Scan and installation requirements
Firewall / Network Requirements
CSAT utilizes the following ports for its services.

On the CSAT server:

Port number TCP, UDP Explanation
443 TCP, inbound To connect with Office 365, SharePoint Online and AAD scan
TCP, outbound (From CSAT server to the internet) and the collector service
8010 TCP, inbound Collector service, to send information about the dissolvable agent and
TCP, outbound retrieve data from the dissolvable agent(s) that are scanning
8080 TCP, inbound Deployment service, to deploy the dissolvable agent (from CSAT server
TCP, outbound to targeted internal endpoints/subnets)
8093 TCP, inbound Collector service, to display the status of the service
TCP, outbound
53 TCP, outbound DNS, outbound to both internal and internet DNS servers
389, or TCP, outbound LDAP, outbound to the Active Directory Domain Controllers
686 TCP, outbound LDAPS (secure LDAP)
161 UDP, both SNMP, outbound from server to endpoints
SNMP, inbound from endpoints to server
22 TCP, outbound SSH-traffic
The following ports are meant for internal use only by the CSAT Server and should not be accessed
from the network/internet.

Port number TCP, UDP Explanation

4432 TCP, inbound CSAT Portal, no outbound traffic
8018 TCP, inbound Enumeration service, no outbound traffic
8090 TCP, inbound Analysis service, no outbound traffic
8288 TCP, inbound Used by the Network service, no outbound traffic

On endpoint devices:
The following ports are inbound for the active firewall profile. It is highly advised not to enable
these ports within the Public Network profile. Depending on your network security
policy/configuration, in certain network environments, you may need to add the IP address of the
CSAT server as the originating IP address to the firewall rules mentioned below.
Firewall rule name Group Port Used for Used by
technique
File and Printer File and Printer 139 NetBIOS Session to WMI only
Sharing (NB-Session- Sharing the endpoint
In)
File and Printer File and Printer 445 send SMB data for WMI only
Sharing (SMB-In) Sharing the dissolvable agent
Remote Event Log Remote Event Log RPC Dynamic Create and run the Remote
Management (RPC) Management Ports CSAT task Scheduled tasks
Remote Scheduled Remote Scheduled RPC Dynamic send SMB data for Remote
Tasks Management Tasks Management Ports the dissolvable Scheduled tasks,
(RPC) agent, or create and WMI with SMB
run the CSAT task support, WMI
only
Windows Windows 135 Initial WMI WMI only
Management Management connection
Instrumentation Instrumentation
(DCOM-In)

10
CSAT version 2.05 Scan and installation requirements
 Windows Windows All (only allow Send the CSAT WMI with SMB
Management Management svchost.exe) dissolvable agent support, WMI
Instrumentation Instrumentation files to the endpoint only
(WMI-In)
Note: When creating custom firewall rules, ensure they do not conflict with other rules or have block
rules placed before allow rules.

In environments where outbound traffic from endpoints is restricted, it is recommended to add the
following rule to the firewall profile of the endpoint:

Port number TCP, UDP Explanation

8080 TCP, outbound Transport of scan results from the endpoint to the CSAT server

11
CSAT version 2.05 Scan and installation requirements